In March 2020, the NHS quietly announced a massive data-sharing initiative involving a handful of Big Tech firms including Google, Microsoft, Amazon, and the controversial Palantir Technologies.
The idea was to leverage the power of these tech giants to analyse massive amounts of pandemic data in real-time in a centralised location, thus facilitating a much more rapid, efficient and effective coordinated response to the pandemic.
The thinking behind it all was ultimately noble: lives would be saved. That effectively gave the NHS the justification needed to move ahead with sharing mountains of UK health data with private organizations.
The enormous covid datastore is supposed to be a temporary emergency measure, strictly limited in scope to address the deadly pandemic.
At the time, the NHS stated in a blog post announcing the initiative that “the data will only be used for Covid-19 and not for any other purpose”, and “once the public health emergency situation has ended, data will either be destroyed or returned in line with the law and the strict contractual agreements that are in place between the NHS and partners.”
But with no definition around the end of the public health emergency, there are fears this could be used as the pretext for keeping the data for some time to come.
Those fears were heightened in December 2020 when the NHS struck a lucrative deal with Palantir Technologies worth £23.5 million and extending to December 2022. It set out to continue using NHS data to optimise vaccine rollout efforts but also applied them to other non-covid initiatives, including Brexit and flu vaccinations.
The contract between the two includes a clause that mentions a ‘Recovery of Critical Services’ tool, and affords the buyer the ability to “transition this Tool for general business-as-usual monitoring”. Additionally, it states that a “Strategic Decision Makers Dashboard (SDMD) provides a unified dashboard to assist executives across the health and care system to coordinate national response to COVID-19 and EU Exit.”
In a blog post announcing the deal, Ming Tang, the NHS’s national director for data and analytics, expressed the need to “continue to improve the way that data is managed and used by the system while maintaining high standards of public trust and promoting transparency.”
Indeed, maintaining public trust and promoting transparency is critical in any initiative that involves the government sharing massive amounts of health data with private companies. The problem with Tang’s statement, however, is that the NHS has done very little in recent memory that could conceivably engender public trust in its methods from a data perspective.
Look no further than the NHS contact tracing app which was riddled with security vulnerabilities and a beta version which didn’t encrypt user data, while Public Health England failed to complete the mandatory Data Protection Impact Assessment prior to launching the test and trace programme last May.
The campaigning investigative website openDemocracy and the open government organisation Foxglove are currently seeking a judicial review of the deal with Palantir, which they say was awarded without competitive tender or data protection impact assessments.
An NHS spokesperson told Sky News that “the NHS completed a Data Protection Impact Assessment in April 2020, and an update will be published in due course”. But that assessment was completed for the original Covid-19 datastore – the datastore that was supposed to be temporary in nature and billed as an emergency stopgap to curb the spread of the virus. That the NHS has thus far failed to produce an updated Data Protection Impact Assessment that addresses the Palantir deal three months ago is concerning.
openDemocracy’s editor-in-chief, Mary Fitzgerald, summed up the organisation’s basis for legal action against the NHS: “This lawsuit was a last resort. We tried for months to get transparency from Matt Hancock and the government about their long-term plans for NHS data after the pandemic. Instead, they bounced a massive new contract past us and are seemingly hoping, through their new NHS white paper, to make their emergency data deal a permanent one. We think people have a right to know all the facts, and to make their views heard, before that happens.”
The government must have been aware that the deal would not sit particularly well with the public. Also telling is how heavily redacted the publicly released contract is, especially the section listing the classes of data involved in the deal – the entire list has been redacted. Why the lack of transparency?
Nothing much about this deal is or has been transparent. Nothing about this deal is conducive to establishing any level of public trust in the NHS’s ability to protect UK citizens’ health data.
Mr Hancock and the NHS need to understand this. They need to walk the walk if they’re going to talk the talk. Consult with the public accordingly, conduct a proper data protection impact assessment, and don’t quietly facilitate deals involving sensitive personal information.
Instead be accountable, be transparent, be trustworthy.